I recently had a client whose IIS web server was being hacked. From the modification times of the files that had been changed we could tell when the compromise happened (keeping in mind that an attacker can alter file timestamps, so they are a starting point rather than proof). In this kind of situation you need access to the server's and the network's activity history. Here, we wanted to see the network activity to the server at the time the files were changed.
In this situation the logical logs to look at are the Windows Server event logs, the Internet Information Services (IIS) logs, and the network firewall logs. In our case the firewall function was handled by a Cisco ASA 5505.
The problem is that the logs kept on the Cisco itself have a short life: its internal log buffer is a small circular buffer, so older entries are overwritten within minutes by the thousands of new messages generated by all the traffic passing through the unit. This is typical of devices of this type, since the on-box logs are intended for troubleshooting while you are working on the unit, not for retention.
Most networks are not configured to collect and store critical logs.
So we needed to retain the logs for a longer period, and we also needed to filter what we looked at, since wading through thousands of message types would be a waste of effort. From our analysis we knew we wanted to look at HTTP and FTP connections to the affected server's IP address.
Accordingly, we set up Wiki SysLog Server so that a server on the network could collect the logs from the Cisco ASA 5505 and in turn give us the tools to analyze them. We also configured the ASA 5505 to send only the relevant connection messages to the syslog server, so as not to flood it with unnecessary information. Two details matter for this to be useful in an incident: turn on timestamps on the ASA and keep both the firewall and the servers on the same NTP time source, otherwise firewall entries cannot be lined up with the file modification times; and remember that syslog over UDP (the default) can silently drop messages under load, so a gap in the log is not proof that nothing happened.
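To show the filtering step concretely, here is an added example (not code from the original post or from the syslog product mentioned) that parses Cisco ASA "Built ... TCP connection" syslog messages (message ID 302013) and keeps only those to a given server on the HTTP and FTP ports inside the incident window. The sample log lines, the interface names, the `asa-fw` hostname, the 10.0.0.20 server address and its mapped public address are all constructed for the example; the ASA commands in the header comment are real syntax, but the list name CONN_ONLY and the syslog host address are assumptions.

```python
"""Filter Cisco ASA syslog connection records for traffic to a compromised
server during an incident window.

Assumed ASA side (standard commands; CONN_ONLY and 10.0.0.50 are made-up names):
    logging enable
    logging timestamp
    logging device-id hostname
    logging list CONN_ONLY message 302013-302016   # TCP/UDP built + teardown
    logging trap CONN_ONLY                          # send only that list
    logging host inside 10.0.0.50                   # the syslog server
"""
import re
from collections import Counter
from datetime import datetime

# 302013 layout: Built <dir> TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>)
#                to <if>:<real>/<port> (<mapped>/<port>)
# The leading timestamp/hostname is what `logging timestamp` + `logging device-id` emit.
ASA_BUILT_TCP = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\([\d.]+/\d+\) to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_mapped_ip>[\d.]+)/\d+\)"
)


def parse_built_tcp(line):
    """Return a dict for a 302013 message, or None for any other line."""
    m = ASA_BUILT_TCP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Collapse the double space ASA uses for single-digit days before parsing.
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %Y %H:%M:%S")
    for key in ("conn_id", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec


def filter_connections(lines, server_ip, ports, start, end):
    """Keep connections to server_ip (real or NAT-mapped address) on the given
    destination ports whose timestamp falls inside [start, end]."""
    hits = []
    for line in lines:
        rec = parse_built_tcp(line)
        if rec is None:
            continue
        if server_ip not in (rec["dst_ip"], rec["dst_mapped_ip"]):
            continue
        if rec["dst_port"] not in ports or not (start <= rec["ts"] <= end):
            continue
        hits.append(rec)
    return hits


def sources_by_count(hits):
    """Count how many matching connections each source address opened."""
    return Counter(h["src_ip"] for h in hits)


# Constructed sample: one hour of traffic around an assumed 02:15 compromise.
SAMPLE_LOG = [
    "Mar 14 2014 01:30:00 asa-fw : %ASA-6-302013: Built inbound TCP connection 4001 for outside:203.0.113.10/50000 (203.0.113.10/50000) to inside:10.0.0.20/80 (192.0.2.80/80)",
    "Mar 14 2014 02:14:58 asa-fw : %ASA-6-302013: Built inbound TCP connection 4107 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.0.0.20/80 (192.0.2.80/80)",
    "Mar 14 2014 02:15:07 asa-fw : %ASA-6-302013: Built inbound TCP connection 4110 for outside:198.51.100.77/40112 (198.51.100.77/40112) to inside:10.0.0.20/21 (192.0.2.80/21)",
    "Mar 14 2014 02:15:09 asa-fw : %ASA-6-302014: Teardown TCP connection 4107 for outside:203.0.113.10/51234 to inside:10.0.0.20/80 duration 0:00:11 bytes 8812 TCP FINs",
    "Mar 14 2014 02:15:12 asa-fw : %ASA-6-302013: Built inbound TCP connection 4113 for outside:198.51.100.77/40113 (198.51.100.77/40113) to inside:10.0.0.20/21 (192.0.2.80/21)",
    "Mar 14 2014 02:15:20 asa-fw : %ASA-6-302013: Built inbound TCP connection 4120 for outside:192.0.2.33/2222 (192.0.2.33/2222) to inside:10.0.0.20/3389 (192.0.2.80/3389)",
    "Mar 14 2014 02:15:30 asa-fw : %ASA-6-302013: Built outbound TCP connection 4125 for inside:10.0.0.22/55000 (192.0.2.80/55000) to outside:203.0.113.9/80 (203.0.113.9/80)",
    "Mar 14 2014 02:15:41 asa-fw : %ASA-6-302015: Built inbound UDP connection 4130 for outside:203.0.113.10/53211 (203.0.113.10/53211) to inside:10.0.0.20/53 (192.0.2.80/53)",
]
WEB_SERVER = "10.0.0.20"
WINDOW_START = datetime(2014, 3, 14, 2, 0, 0)
WINDOW_END = datetime(2014, 3, 14, 2, 30, 0)

if __name__ == "__main__":
    hits = filter_connections(SAMPLE_LOG, WEB_SERVER, {80, 21}, WINDOW_START, WINDOW_END)
    for h in hits:
        print(h["ts"], h["src_ip"], "->", f"{h['dst_ip']}:{h['dst_port']}")
    print(sources_by_count(hits).most_common())
```

Filtering on port 21 catches the FTP control channel only; if the server allows passive FTP, the data transfers show up as separate 302013 messages to high ports, so widen the port set once you know which source to chase. Matching on both the real and the NAT-mapped destination address avoids missing entries depending on which side of the translation the ASA logged.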
A syslog server should be part of any business running mission-critical servers, so that the full array of server and network logs can be collected, retained, and analyzed when something goes wrong.
We hope our insight has been helpful. This is just one of many common IT issues we handle on a daily basis as part of our Network, Server, and Desktop support, or as a result of our Website, Mobile App, or Database development projects.
If you would like to take advantage of our insight for your daily IT Support and IT Projects, please feel free to contact us.
Unless listed under our Partners section, we are not affiliated with vendors mentioned in this Blog. Products and Services mentioned in our Blog are based on independent observations made for the benefit of our clients and are based on recent experience in client projects.